<div dir="ltr"><div class="gmail_quote"><div dir="ltr"><div class="gmail_quote"><div dir="ltr"><div><div><div><div><div><div><div><div>Hi,<br><br></div>I'm contacting the list after doing some Google-foo and not finding anything - not sure if this is due to my searching skills, or because nobody ever asked about this... pardon me if it's a known issue, and a link to a relevant resource would be appreciated in such a case.<br>
<br></div>I'm using Nginx as a reverse HTTP proxy to Tomcat, primarily for the purpose of doing OCSP stapling.<br><br></div>When Nginx starts for the first time, and there's no cached OCSP response, the first client to try an OCSP will fail; I understand that this is by design, and I've overcome it by simply 'warming' the cached manually by using OpenSSL's s_client... of course I'll be happy to learn there's a way to make Nginx block and get OCSP response if there's a cache miss (I understand that blocking every time in case of OCSP server being down won't help performance much, but I guess cache can be negative in such a case, instead of a miss, and maybe this is already the case...)<br>
<br></div>Anyways, that's not the main issue I have.<br><br>The main issue I have is that when a revoked certificate is being used by Nginx, and an OCSP is being conducted against the server port where this certificate is served. <br>
<br>Watching the packets arriving from <a href="http://ocsp.digicert.com" target="_blank">ocsp.digicert.com</a> via Wireshark, I see the OCSP response saying that the certificate is revoked (so, Nginx seems to be querying the OCSP server fine?), and I also see this in Nginx's error log:<br>
<br>2014/04/07 17:44:41 [error] 27005#0: certificate status "revoked" in the OCSP response while requesting certificate status, responder: <a href="http://ocsp.digicert.com" target="_blank">ocsp.digicert.com</a><br>
<br></div>Yet, the OpenSSL s_client, even after multiple attempts (so the cache should be "warm"), returns that no OCSP response was returned from the server... <br>
<br></div>Naturally, I would expect the response to be proxied by Nginx back to the client.<br><br></div>What am I missing / doing wrong? :)<br><br>Thanks a lot!<span class="HOEnZb"><font color="#888888"><span><font color="#888888"><br>
<br></font></span></font></span></div><span class="HOEnZb"><font color="#888888">
<span><font color="#888888">-- Shimi<br></font></span></font></span></div>
</div><br></div>
</div><br></div>